
You might have read somewhere online today that Google is granting Android app developers powers to forcefully install app updates…but it is not true.

Instead, the tech giant is providing a new feature that will help users to have up-to-date Android apps all the time and yes, it’s optional.

Along with the launch of a number of new tools and features at its Android Dev Summit 2018, Google has also launched a new API, called “In-app Updates,” which aims to help developers ensure that users are running the latest and greatest version of their app.

“We’ve heard that you’d like more controls to ensure that users are running the latest and greatest version of your app. To address this, we’re launching an In-app Updates API,” Google said.

How Does Android’s New In-app Updates API Work?

It should be noted that Android’s new In-app Updates API doesn’t force users to update or lock them out of the app if they choose not to update it.

Instead, the API has been designed to aggressively inform users about the latest available updates and give them a smooth in-app installation experience without closing the app or opening the Google Play Store.

As explained by Aurash Mahbod, Google’s director of engineering, the In-app Updates API gives Android developers two ways to push a new update to their users:

1) Immediate in-app update (for critical patches) — App developers can display a full-screen message to their users informing them of a new update, which users can choose to download (if they want) and install immediately right then and there, within the app itself, before they can use the app.

For obvious or whatever other reasons, users can decline to update immediately and continue using the app, in case they are not connected to Wi-Fi or are low on battery.

2) Flexible in-app update (for regular updates) — Using this option, Android app developers can display a small “available update” notification to users, giving them an option to accept it and then keep using the app while the new version of the app is downloaded in the background.

Once the app is downloaded, it will get installed the next time the user re-opens the app.

Flexible update also gives users the “Not Now” option, which users can select in case they don’t want to install the update.

The concept is good and definitely not new, as many applications already have custom mechanisms to determine if users are running an outdated version, then prompt them to install the latest version from the Play Store. However, the new API makes this whole process standard, smooth and easy, giving users a great new experience.

Aurash also said the company is currently testing the In-App Updates API in Google Chrome for Android and is making the new API available to developers who are early access partners. It will be available to all developers soon.

Google also says that Android developers will have the ability to completely customize the update flow so that it feels like part of your app, which indicates that not all apps will have the same in-app update experience.

Facebook is reportedly looking to acquire a major cyber security firm following a massive breach that compromised data from 30 million accounts.

The company has approached several unnamed cyber security providers about potential acquisitions, according to The Information.

Facebook’s push to ramp up its security comes in the wake of what it termed its biggest cyber security breach ever that affected user phone numbers, email addresses and recent searches.

The social media giant, after a preliminary review, says the hack was likely carried out by spammers, according to the Wall Street Journal, not a state-sponsored attack as some had feared.

The hackers were able to exploit a vulnerability in the platform’s “View As” feature that lets users see what their profile looks like to other users, depending on their privacy settings. The hackers were able to gain access codes to user accounts without having their passwords.

Facebook has said that it’s working with the FBI about the breach.

The hack came after a difficult year of setbacks for Facebook, starting with revelations that Russian trolls had manipulated its platform in an attempt to influence the 2016 presidential election.

Facebook hit a nadir during the Cambridge Analytica scandal when it was revealed that the British research firm improperly obtained user data from 87 million Facebook accounts which were then allegedly used for voter suppression efforts and other election-related actions.

Cyber One Solutions is very excited to announce that we have partnered up with @ConnectWise to deploy their Business Management Software packages @QuosalQuote, @ScreenConnect and @LabTechSoftware to run our IT and Managed Services more efficiently.

Late last month Facebook announced its massive security breach that allowed an unknown group of hackers to steal secret access tokens for millions of accounts by taking advantage of a flaw in the ‘View As’ feature.

At the time of the initial disclosure, Facebook estimated that the number of users affected by the breach could have been around 50 million, though a new update published today by the social media giant downgraded this number to 30 million.

Out of those 30 million accounts, hackers successfully accessed personal information from 29 million Facebook users, though the company assured that the miscreants apparently didn’t manage to access any third-party app data.

Here’s How Facebook Classified the Stolen Data:

Facebook vice president of product management Guy Rosen published a new blog post Friday morning to share further details on the massive security breach, saying that the hackers stole data from the affected accounts as follows:

For about 15 million Facebook users, attackers accessed two sets of information: usernames and contact information including phone numbers, email addresses and other contact information depending on what users had on their profiles.

For about 14 million Facebook users, attackers accessed an even wider part of their personal data, including the same two sets of information mentioned above, along with other details users had on their profiles, like gender, language, relationship status, religion, hometown, current city, birth date, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches.

A remaining 1 million Facebook users did not have any personal data accessed by the attackers.

Besides this, Rosen also added that the attackers had no access to data from “Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.”

Moreover, hackers also were not able to access any private message content, with one notable exception—If a user is a Facebook page administrator who had received or exchanged messages from someone on Facebook, the content of those messages was exposed to the attackers.

Here’s How to Check If You Are One of 30 Million Affected Users

Facebook said users can check whether they were affected by the breach by visiting the social network’s Help Center.

Facebook also added that the company will directly inform those 30 million users affected to explain what information the attackers might have accessed, along with steps they can take to help protect themselves from any suspicious emails, text messages, or calls.

So far the identity of the hackers remains unclear, but Rosen said Facebook is working with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities to investigate who might be behind the breach or if they were targeting anyone in particular.

Bristol Airport has blamed a ransomware attack for causing a blackout of flight information screens for two days over the weekend.

The airport said that the attack started Friday morning, taking out several computers over the airport network, including its in-house display screens which provide details about the arrival and departure information of flights.

The attack forced airport officials to take down the airport’s systems and use whiteboards and paper posters to announce check-in and arrival information for flights going through the airport and luggage pickup points for all of Friday, Saturday, and the subsequent night.

“We are currently experiencing technical problems with our flight information screens,” a post on the Bristol Airport’s official Twitter feed read on Friday.

“Flights are unaffected and details of check-in desks, boarding gates, and arrival/departure times will be made over the public address system. Additional staff are on hand to assist passengers.”

The airport also urged passengers to arrive early and “allow extra time for check-in and boarding processes,” though this two-day technical meltdown caused delays in baggage handling, with customers needing to wait longer than one hour for their bags.

However, no flight delays were reportedly caused due to the cyber attack.

An airport spokesman said that the information screens went offline due to a so-called “ransomware” attack, though he confirmed that no “ransom” had been paid to get the airport systems working again.

“We are grateful to passengers for their patience while we have been working to resolve issues with flight information this weekend. Digital screens are now live in arrivals and departures. Work will continue to restore complete site-wide coverage as soon as possible,” the airport tweeted on Sunday.

At the moment, it is not clear how the ransomware got into the airport systems. Bristol is carrying out an investigation to find out what happened.

The notorious hacking group behind the Ticketmaster and British Airways data breaches has now victimized popular computer hardware and consumer electronics retailer Newegg.

The Magecart hacking group managed to infiltrate the Newegg website and steal the credit card details of all customers who entered their payment card information between August 14 and September 18, 2018, according to a joint analysis from Volexity and RiskIQ.

Magecart hackers used what researchers called a digital credit card skimmer: they inserted a few lines of malicious JavaScript code into the checkout page of the Newegg website that captured the payment information of customers making purchases on the site and then sent it to a remote server.

Active since at least 2015, the Magecart hacking group registered a domain called neweggstats(dot)com on August 13, similar to Newegg’s legitimate domain newegg.com, and acquired an SSL certificate issued for the domain by Comodo for their website.

A day later, the group inserted the skimmer code into the Newegg website at the payment processing page, so that it would not come into play until or unless the payment page was hit.

So, when customers add a product to their shopping cart, enter their delivery information during the first step of the check-out, and validate their address, the website takes them to the payment processing page to enter their credit card information.

As soon as the customer hits the submit button after entering their credit card information, the skimmer code immediately sends a copy of that data to the attacker’s domain, i.e., neweggstats(dot)com, without interrupting the checkout process.
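An added example, not code from the article or from Newegg, RiskIQ or Volexity: one way a defender could flag the pattern described above, where a payment page sends data to a look-alike, newly registered host. The allowlist, the `payments.example` and `metrics.example` hosts, the record shape and all function names are assumptions made for illustration.

```javascript
'use strict';

// Hosts the payment page is expected to contact. Assumed allowlist for this
// example; payments.example is a placeholder processor, not a real service.
const ALLOWED_HOSTS = ['newegg.com', 'payments.example'];

// Constructed request records, shaped like rows from a CSP report endpoint or
// browser telemetry. The third row mirrors the incident described above; its
// host is kept in the article's defanged form and normalized before matching.
const SAMPLE_REQUESTS = [
  { page: '/checkout/payment', method: 'POST', host: 'secure.newegg.com', seen: '2018-08-14', registered: null },
  { page: '/checkout/payment', method: 'GET', host: 'cdn.payments.example', seen: '2018-08-14', registered: null },
  { page: '/checkout/payment', method: 'POST', host: 'neweggstats(dot)com', seen: '2018-08-14', registered: '2018-08-13' },
  { page: '/checkout/payment', method: 'GET', host: 'metrics.example', seen: '2018-08-14', registered: null },
];

// Undo common defanging and normalize case and trailing dots.
function normalizeHost(host) {
  return host
    .trim()
    .toLowerCase()
    .replace(/\(dot\)|\[\.\]/g, '.')
    .replace(/\.$/, '');
}

// Exact match or true subdomain only. The leading dot matters: a plain
// suffix or substring test would accept look-alike registrations.
function isAllowed(host, allowlist) {
  return allowlist.some((entry) => host === entry || host.endsWith('.' + entry));
}

// A host that is not ours but carries our brand token in one of its labels.
function isBrandLookalike(host, brand) {
  return host.split('.').some((label) => label.includes(brand));
}

// Whole days between registration and first sighting (ISO dates, UTC).
function domainAgeDays(registered, seen) {
  if (!registered || !seen) return null;
  const ms = Date.parse(seen) - Date.parse(registered);
  return Number.isNaN(ms) ? null : Math.floor(ms / 86400000);
}

// Return one finding per request whose destination is outside the allowlist.
function auditRequests(records, allowlist, brand, youngDomainDays = 30) {
  const findings = [];
  for (const rec of records) {
    const host = normalizeHost(rec.host);
    if (isAllowed(host, allowlist)) continue;

    const reasons = ['not-allowlisted'];
    if (isBrandLookalike(host, brand)) reasons.push('brand-lookalike');
    const age = domainAgeDays(rec.registered, rec.seen);
    if (age !== null && age >= 0 && age < youngDomainDays) reasons.push('young-domain');

    // A POST to an unknown host that also has a look-alike name or a fresh
    // registration matches the pattern above; any other unknown destination
    // is still reported for a manual look.
    const severity = rec.method === 'POST' && reasons.length > 1 ? 'high' : 'review';
    findings.push({ host, page: rec.page, method: rec.method, ageDays: age, reasons, severity });
  }
  return findings;
}

console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS, ALLOWED_HOSTS, 'newegg'), null, 2));
```

The same allowlist can be enforced in the browser with a Content-Security-Policy `connect-src` and `form-action` directive, with violation reports feeding records like the ones above.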

Newegg Hack May Affect Millions of Customers

The attack affected both desktop and mobile customers, though it is still unclear how many customers were actually hit by this credit card breach.

However, considering that more than 50 million shoppers visit Newegg every month and that the malicious code was there for over one month, it could be assumed that Magecart’s newest card-skimming campaign has possibly stolen the payment information of millions of Newegg customers, even if only a fraction of those visitors make purchases.

Earlier this month, the Magecart hacking group breached the British Airways website and its mobile application and managed to walk away with a bounty of sensitive payment card data from 380,000 victims.

“The skimmer code [used in the Newegg breach] is recognizable from the British Airways incident, with the same basecode,” RiskIQ researchers said.

“All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways.”

In the Newegg case, the hackers used smaller skimmer code of “a tidy 15 lines of script,” since it only had to serialize one form.

If you are one of those Newegg customers who entered their credit card details on the website during the attack period, you should immediately contact your bank, block your payment card, and request a replacement.

However, the way Magecart is scooping up payment card data from popular services with relatively little effort suggests that Newegg probably will not be its last target.

Apple announced the iOS 12 release date at its iPhone XS launch event, and it’s scheduled for today, Monday, September 17.

Of course, you could have tested it early with three iOS 12 launch phases: one for developers, one for public beta testers, and one final version launching today.

First, the developer beta launched at WWDC and got more frequent refreshes, but it was early software. You have to be a registered Apple developer, which costs $99 for the annual membership. It’s for people who like to tinker with Xcode and make apps.

Second, iOS 12 public beta was the one most people will want to test out. It launched on June 25 and was completely free. It’s less problematic than the developer beta. The downside compared to iOS 12 developer beta? Apple’s public betas are always one step behind what the developers have access to.

Third, today’s final software is going to roll out to everyone. There’s no need to jump through hoops to enroll in a beta. iOS 12 is going to be here in its final form.

iOS 12 reliability

Apple’s looking to put the problematic iOS 11 behind it

Older iPhones will be 40% to 70% faster at certain tasks

iOS 12 focuses on reliability and performance with this update, and supports all of the same iPhones and iPads that iOS 11 worked with.

Apple called out the iPhone 6 Plus, specifically, saying iOS 12 makes this phone 40% faster at launching apps, 70% faster at launching the camera app, and 50% faster at displaying the keyboard. Keyboard typing and other routine features on older iPhones can slow down with every new iOS update, and Apple is looking to change these pain points with iOS 12.

This makes your existing iPhone and iPad more reliable, and your older devices can be used by family members or be sold now that they’ll be more functional with iOS 12. They don’t have to sit in a drawer because they’re too slow.

iOS 12 is 200% less annoying on iPhone X

Here are two irksome features we hated about iOS 11 on the iPhone X that iOS 12 is going to fix. The final software is going to feel 200% less annoying when it launches.

Closing app windows in iOS 12 is now easier thanks to the fact that all you have to do is slide up on an open app to dismiss it from the multitasking menu. iOS 11 had us press down on the app until red close icons appeared over top of each app, and then to tap those little red icons to dismiss the app. That was unpleasant.

Second, whenever we picked up our phone, we’d always pressed the volume up and power button accidentally, which is the new ‘take a screenshot’ button combination. Apple has disabled this action whenever the phone screen is off. Our iOS 12 Photos app is no longer going to be filled with errant screenshots on the daily.

iOS 12 compatibility

Compatible with iPhone 5S, iPad mini2 and iPad Air and newer

11 iPhones, 10 iPads, 1 iPod touch – the broadest iOS update yet

iOS 12 will run on all devices that have Apple’s 64-bit chipset, which was first introduced in 2013, including the iPhone XS, iPhone XR and iPhone XS Max. It’ll work on the iPhone 5S and newer, while the iPad Air and iPad mini 2 are the oldest iPads that are compatible with iOS 12.

That means this update is supporting 11 different iPhones, 10 different iPads and the sole iPod touch 6th generation still clinging to life. It’s the broadest support for a software update Apple has ever offered, and this is one of the biggest advantages Apple has over Android phones.

ARKit 2 and multiplayer gaming

ARKit 2 allows for ‘shared experiences’ (multiplayer potential)

LEGO, Fender, Adobe and Pixar are all working on AR with Apple

iOS 12 cements Apple as a leader in augmented reality (AR) with the arrival of groundbreaking multiplayer capabilities it calls Shared Experiences in ARKit 2.

These multi-user virtual environments are coming to ARKit, allowing for multiplayer gaming and experiences through iPhones and iPads. iOS 12 is going to create a more collaborative (and competitive) way of experiencing AR.

LEGO demoed a four-player game, pledging that it was in when it came to Apple’s “creative play possibilities.” Players were involved in building up an AR town. It was like The Sims was reimagined for the future.

ARKit 2 opens up AR to hundreds of millions of users, according to Apple, and that makes iOS 12 the broadest AR platform in the world. We got a taste of AR last year, but multi-user virtual environments bring more advanced tools and gameplay.

iOS 12 pinpoints 911 calls in the US

You won’t have to worry about reciting your exact location when calling 911 in the US thanks to iOS 12. It’ll pinpoint your whereabouts during emergency calls.

Apple says it’ll “automatically and securely” share your iPhone location with first responders, but only with them and only during such emergencies. It’s an effort to reduce response time, yet maintain your privacy.

New ‘Measure’ app and USDZ file format

New USDZ file type dedicated to augmented reality

Measure app for iOS 12 to replace your measuring tape

‘Measure’ is getting its own AR app. It uses the iPhone’s and iPad’s advanced sensors to measure objects in front of you, including suitcases, as shown in the first iOS 12 demo. All it takes is a tap-and-drag along the edges of the object on the screen.

It can also automatically detect the approximate dimensions of a photo – we can imagine that will help when you go to buy a photo frame, but can’t find the old-fashioned tape measure. iOS 12 to the rescue.

For AR developers, Apple has created a new file type called ‘USDZ.’ The company worked on USDZ with Pixar, and Adobe is supporting it, too. The file format can be shared across Files, Mail, Messages and Safari. This is an important step forward for developers working on AR apps.

Camera app changes

Apple didn’t announce big camera changes at its WWDC 2018 keynote, but later said that the default camera app will get tweaked with iOS 12.

The Portrait Lighting mode on newer iPhones with a dual-lens camera will look more natural. The software will be able to define crisper edges by more effectively separating a person from a background scene. Apple is also allowing third-party apps to use the software to separate the foreground and background.

It’ll be the end of an era for our how to scan a QR code from your iPhone and iPad guide. The default camera in iOS 12 makes QR code reading automatic.

And while not part of the camera app, RAW photos can be imported and managed on an iPhone and iPad, with the bonus ability of editing RAW photos on an iPad Pro.

Photos app is now smarter with iOS 12

Better search and a new ‘For you’ tab

Suggestions on who to share photo collections with

Share back suggestions nudge friends to send their photos

The Photos app is expanding search in an effort to compete with Google Photos. It recognizes photos by event and indexes them accordingly. Apple says it takes into account over four million events, citing the Aspen Ideas Festival as a niche example.

This lets you search by event without any thankless manual tagging. Searching by event joins other smart suggestions, including filtering by people, places, and relative dates (searching via Siri works with all of these and is quite handy).

The iOS 12 Photos search capabilities have also been broadened to let you use multiple search terms at once. Seeking “dog, animal” should weed out all of your gourmet hotdog results (this is a real problem we just tested on iOS 11).

A new tab ‘For you’ is coming to the iOS 12 Photos app, filled with personalized suggestions on how to improve and share your pictures. Sharing has gotten smarter, letting you share at full-resolution and suggesting who to share these photos with.

Share back suggestions is a neat feature that lets you send photos to a friend, and it uses machine learning to poke them to send photos they took to you. iOS 12’s photos sharing uses iMessage’s end-to-end encryption.

iPad switches to iPhone-like gestures

It’s confusing owning both an iPad and a new iPhone X right now because returning to the home screen and opening Control Center are executed by different gestures.

The iPad takes cues from the iPhone X with the iOS 12 update: swipe up from the bottom to return home and check Control Center by pulling down from the top right-hand corner.

This may be a prelude to the iPad Pro 2018 that’s rumored to include Apple’s True Depth camera for Face ID, Animoji and Memoji.

Siri Shortcuts can find your lost keys, more

Siri Shortcuts allows you to assign phrases to tasks

‘I lost my keys’ can ring your Tile tracker to find keys

‘Heading home’ sends ETA notification to roommate, sets thermostat and fan, and brings up the fastest route through Apple Maps

Gallery and library full of pre-configured Siri Shortcuts

Siri is getting smarter. It‘ll know that “I lost my keys” means to ring your Tile tracker. Tile is a handy gadget, but getting to the app is a pain, and having Siri integrated is a game-changer for both Tile and our peace of mind.

Siri is going to be filled with shortcuts, so much so that Apple is creating a shortcuts app for iOS 12. It’ll suggest coffee orders from the place you always order from and message contacts to tell them you’re running late, and there’s also Kayak-based flight information you can call up via voice. By pressing the add to Siri button, you can then say “Travel plans” and Siri will read back information such as your hotel address.

Apple’s IFTTT-like Siri Shortcuts app was always in closed beta testing during the iOS 12 developer and public beta, and that meant we couldn’t dive into it until the final software. Stay tuned for our expanded impressions on it soon.

Siri translates new languages, learns motorsport scores

Siri can now translate over 40 language pairs

Motorsports scores, schedules and stats knowledge

Food and celebrity facts knowledge expanded upon

Password search not part of Siri’s duties in iOS 12

Try asking Siri to translate something into Spanish. It works, and with iOS 12 it’ll be even more robust with over 40 language pairs to aid your international travels.

We really hope Siri will be able to translate foreign words into English (that’s not possible with iOS 11 at this time when asking Siri what ‘hola’ means in English).

Siri will also learn the language of motorsports, per se. Asking for Formula One and NASCAR information will have Siri recite live standings, schedule, roster and stat info.

Food knowledge and celebrity facts are also part of the Siri update. Right now, asking “How healthy is fish” gives a smattering of search results and requires opening up Siri. In the future, specific answers about food will come from the USDA database, citing calories, vitamins, and how healthy the food is overall.

Password hunting is now within Siri’s grasp, letting you search any saved passwords, according to Apple. This applies to both apps and websites.

Apple News, Stocks, Voice Memos and CarPlay

Apple News: new Browse tab and sidebar navigation

Stocks: robust chart design and stock news integration

Voice memos: easier menus, iCloud support, on iPad (finally)

CarPlay: third-party app support, like Google News and Waze

Apps are indeed getting updates with iOS 12, starting with Apple News. There’s a new Browse tab and a sidebar for better navigation. Stocks is finally being rebuilt with a helpful news design, complete with charts and Apple News headlines integrated into Stocks. The top stories will be business news curated by Apple News editors.

Voice Memos is coming to iPad (as well as macOS), and it’ll get iCloud support, long overdue changes. Now you won’t have to AirDrop conversations between devices in order to listen back. It’ll also be easier to assign names to voice clips thanks to an overhauled Voice Memos redesign.

Apple Books is the new name for iBooks, allowing you to pick up reading where you left off and offering a new store interface to browse and buy ebooks and audio books.

CarPlay is going to support third-party applications, with Waze and Google Maps appearing on-screen. Apple didn’t call out the Google-owned apps by name, but they were there on the screen. This was a major highlight of iOS 12.

Using your iPhone less

Do Not Disturb during bedtime to hide visual display of notifications

Instant tuning to send future notifications silently or turn them off

Reports give a weekly activity summary on how you use iOS 12

Breakdown: ranks app usage, highest phone pick up times (and what app draws you in first), and apps that send you the most notifications

Set self-imposed time limits via reminders and temporary app blocking

Limit kids time in apps by category or individual apps via Family Sharing

Apple is expanding its Do Not Disturb capabilities with a cleaner ‘Do Not Disturb During Bedtime’ mode. It’ll silence not just the notification delivery sounds, but also the visual notifications clutter that can distract you when you’re trying to sleep.

The lockscreen remains clear until you unlock your iPhone in the morning. You can allow certain apps to break through, just like with DND mode right now. Apple refers to these as critical alerts, and they’re opt-in.

Do Not Disturb options aren’t one-size-fits all, either. It can now automatically end in an hour, at the end of the day, when you leave a certain location, or at the end of a meeting in your calendar. iOS 12 even makes the DND moon icon in Control Center have 3D Touch support to act as a shortcut to all of these options.

Instant Tuning is an iOS 12 feature you’ll love if you’ve ever gotten a notification from an app you always seem to dismiss (HQ trivia, breaking news alerts, etc), but don’t have time to turn off future notifications in the many submenus of Settings. Apple is allowing you to control individual app notification profiles right from the lockscreen, without making you leave what you’re doing.

Deliver Quietly is an option within Instant Tuning, and it’ll allow you to choose to have notifications delivered silently to Notification Center by default so you’re not interrupted by alerts on the lockscreen. It’s a nice in-between option.

Siri can help clean up your messy lockscreen with notification delivery suggestions based on how you interact with notifications. Siri will understand which notifications it should deliver prominently and which ones to send to Notification Center. It’s like iOS 12’s version of ‘clean up your desktop’ system nudges.

Screen time is Apple’s take on limiting your iPhone use – how much time you’re spending on apps, which apps you use the most, and which apps are sending you the most notifications.

To give you a little extra help, Apple has created app limits. You can set your own limit, with a notification letting you know when time is almost up. A ‘Time is up’ message will display when you’ve reached your self-imposed-Siri-assisted limit.

Parents can create limits for kids with Allowances, time-of-day-based downtime controls, and category controls. Education and essential message apps can also be green lit thanks to an always-allowed setting.

The best part? Setting limits for your kids uses Family Sharing, so you can manage it all remotely from your parental device – no need to get hold of your 12-year-old kid’s phone to execute on these new iOS 12 controls.

Smartly grouped by app, topic, thread. Tap in to look at a particular group

Can clear a whole group of notifications with a single swipe

Grouped notifications are coming to iOS 12. This is a small, but important update (maybe the most important iOS 12 update) announced at the Apple WWDC keynote.

It binds together notifications by message threads and topics, making it easier to see everything at a glance. Right now, individual notifications in the morning are a big pain to check as they pile up.

Animoji changes and new Memoji

Tongue and wink detection for iOS 12 Animoji

Four new Animoji masks: Ghost, Koala, Tiger and T-Rex

Personalized ‘Memoji’ to look like you or ‘the real you’

Animoji and Memoji clips last 30 seconds (up from 10 seconds)

Animoji is expanded, not just with new masks, but with tongue detection (as seen on stage) and wink detection (not announced, but confirmed for iOS 12 afterward). Ghost, Koala, Tiger and T-Rex will be joining the cast of Animoji masks.

Memoji is a thing, too. It’s a customizable mask that can look like you – or the real you, according to Apple. It still resides in Messages. You can select hairstyles, eye color and accessories like earrings and sunglasses. Like Animoji, this is an iPhone X only feature due to requiring Apple’s True Depth front-facing camera.

Group FaceTime (now launching later)

Group FaceTime for up to 32 people with dynamic UI

Can use Animoji and Memoji in FaceTime

Won’t launch with the final software on day one

Group FaceTime is coming to iOS 12 with up to 32 participants, and you go directly from a group chat to a group FaceTime in the Messages app.

Update: Apple has delayed the launch of iOS 12 Group Notifications, according to release notes indicating that it’ll come out this ‘fall’. To us, that sounds like an iOS 12.1 launch, just as Apple Pay, Apple Cash, AirPlay 2 and other features didn’t make it live on day one in previous operating system updates.

People can drop in and drop out at any time. The interface is filled with tiles that can expand, and ‘the roster’ along the bottom for everyone else in the Group FaceTime chat. When people start to speak, their window gets bigger, even if they’re in the bottom roster of participants. It works on iPhone, iPad and Mac, and you can even answer on the Apple Watch and HomePod with just audio.

Animoji is coming to FaceTime and Group FaceTime. You’ll of course need to update to iOS 12 and an iPhone X, iPhone XS, iPhone XS Max or an iPhone XR to make that magic happen.

That’s a wrap for new iOS 12 features.

The two biggest highlights were Grouped notifications and Group FaceTime with Memoji. Of course, Group FaceTime is not due to launch just yet, which means an inevitable iOS 12.1 and more updates for us to write about.

Just a few minutes ago Microsoft released its latest monthly Patch Tuesday update for September 2018, patching a total of 61 security vulnerabilities, 17 of which are rated as critical, 43 are rated Important, and one Moderate in severity.

Four of the security vulnerabilities patched by the tech giant this month have been listed as “publicly known” and more likely exploited in the wild at the time of release.

CVE-2018-8475: Windows Critical RCE Vulnerability

One of the four publicly disclosed vulnerabilities is a critical remote code execution flaw (CVE-2018-8475) in Microsoft Windows that affects all versions of the Windows operating system, including Windows 10.

The Windows RCE vulnerability resides in the way Windows handles specially crafted image files. To execute malicious code on a target system, all a remote attacker needs to do is just convince a victim to view an image.

Given its severity and ease of exploitation, you can expect an exploit targeting Windows users in the coming days.

CVE-2018-8440: Windows ALPC Elevation of Privilege Vulnerability

The latest patch update also addresses an “important” zero-day vulnerability in Windows Advanced Local Procedure Call (ALPC) that was publicly disclosed last week on Twitter.

If exploited, the flaw (CVE-2018-8440) could allow a local attacker or malicious program to gain administrative system privileges and run code on the targeted machines.

According to Microsoft, the flaw is actively being exploited in the wild and requires immediate attention. The proof-of-concept (PoC) exploit for this privilege escalation flaw in Windows is available on GitHub.

CVE-2018-8457: Scripting Engine Memory Corruption Vulnerability

Another publicly disclosed flaw is a remote code execution vulnerability (CVE-2018-8457) in the scripting engine, which exists when the scripting engine fails to properly handle objects in memory in Microsoft browsers, allowing an unauthenticated, remote attacker to execute arbitrary code on a targeted system in the context of the currently logged-in user.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft explains.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

This month’s patch update also includes patches for two critical remote code execution vulnerabilities in Windows Hyper-V, a native hypervisor for running virtual machines on Windows servers.

Both flaws (CVE-2018-0965 and CVE-2018-8439) exist when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.

Both RCE vulnerabilities can be exploited by a malicious guest user by running a specially crafted application on the virtual operating system to eventually execute arbitrary code on the host operating system.

Patch All Microsoft Software Vulnerabilities

Besides this, Microsoft has also pushed security updates to patch a critical remote code execution vulnerability in Adobe Flash Player, details of which you can get through a separate article posted today.

Adobe has labeled the same privilege escalation vulnerability (CVE-2018-15967) as important, while Microsoft marked it as a critical remote code execution flaw.

Users are strongly advised to apply all security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.

To install security updates, head to Settings → Update & security → Windows Update → Check for updates, or install the updates manually.


Cyber One Solutions celebrated our latest Ribbon Cutting yesterday, September 10, at the new 1100 E NASA PKWY location. We are very excited to join the Clear Lake Area Chamber of Commerce and look forward to working with them and their wonderful staff as we continue to grow in the Clear Lake area.

Air Canada has confirmed a data breach that may have affected about 20,000 of its 1.7 million mobile app users.

The company said it had “detected unusual log-in behavior” on its mobile app between August 22 and 24, during which the personal information for some of its customers “may potentially have been improperly accessed.”

The exposed information contains basic information such as customers’ names, email addresses, phone numbers, and other information they have added to their profiles.

Passport Numbers Exposed in Air Canada Data Breach

However, here is what’s worrisome:

Hackers could also have accessed additional data, including a customer’s passport number, passport expiration date, passport country of issuance and country of residence, Aeroplan number, known traveler number, NEXUS number, gender, date of birth, and nationality, if users had this information saved in their profile on the Air Canada mobile app.

The airline assured its customers that credit card information saved to their profile was “encrypted and stored in compliance with security standards set by the payment card industry or PCI standards,” and is therefore protected.

However, Air Canada still recommended that affected customers always monitor their credit card transactions and contact their financial services provider immediately if they find any unusual or unauthorized activity.

Reset Your Password

The company estimates that about 1% of the 1.7 million people who use its mobile app, or about 20,000 users in total, may have been affected by the security breach.

Although it is currently not clear how the data breach occurred, whether it was a direct breach of Air Canada’s systems or due to the reuse of passwords from other sites, the airline encourages users to reset their passwords using improved password guidelines, which say passwords should be at least 10 characters long and contain one symbol.

However, as a precaution, the airline has locked down all 1.7 million accounts until all of its customers—even those whose information was not exposed in the breach—change their passwords.

Air Canada has contacted potentially affected customers directly by email, starting August 29, to tell them whether their account has potentially been improperly accessed by hackers.
